LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
433 Commits
12 Branches
967 KiB
Tree: 42212333a4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '42212333a4'
${ noResults }
lilik_playbook/roles/ldap/tasks/1_configure_server.yaml

237 lines
7.3 KiB
Raw Normal View History

roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
Use static import instead of dynamic include When feasible, allows better tag/task filtering.
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
Use static import instead of dynamic include When feasible, allows better tag/task filtering.
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: fix logging
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: add syncrepl support
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: add syncrepl support
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: do not enforce ssf if tls disabled Do not enforce the use of TLS for plain text authentication ONLY if tls is not enabled for this LDAP instance.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: fix acl to add user to groups
4 years ago
roles/ldap: add syncrepl support
4 years ago
roles/ldap: fix acl to add user to groups
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: do not enforce ssf if tls disabled Do not enforce the use of TLS for plain text authentication ONLY if tls is not enabled for this LDAP instance.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: add syncrepl support
4 years ago
roles/ldap: configuration improvements
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
 
  1. ---

  2. - import_role: name='service'

  3.   vars:

  4.     service_name: 'nscd'

  5.     service_packages: 'nscd'

  6. 

  7. - name: 'set debconf values'

  8.   debconf:

  9.     name: 'slapd'

  10.     question: '{{ item.question }}'

  11.     vtype: 'string'

  12.     value: '{{ item.value }}'

  13.   register: debconfs

  14.   loop:

  15.     - { question: 'slapd/domain', value: '{{ ldap_domain }}' }

  16.     - { question: 'slapd/dump_database', value: 'when needed' }

  17.     - { question: 'shared/organization', value: '{{ ldap_organization }}' }

  18. 

  19. - import_role: name='service'

  20.   vars:

  21.     service_name: 'slapd'

  22.     service_packages:

  23.         - 'slapd'

  24.         - 'ldap-utils'

  25.         - 'libpam-ldap'

  26.         - 'python3-ldap'

  27.         - 'sudo'

  28. 

  29. - name: 'delete old backups'

  30.   file:

  31.     path: '{{ item }}'

  32.     state: 'absent'

  33.   with_fileglob: '/var/backups/*.ldapdb'

  34.   when: debconfs.results[0].changed

  35. 

  36. - name: 'backup old database and re-create'

  37.   command: 'dpkg-reconfigure -p critical slapd'

  38.   when: debconfs.results[0].changed

  39. 

  40. - name: 'start slapd service'

  41.   service:

  42.       name: 'slapd'

  43.       enabled: true

  44.       state: 'started'

  45. 

  46. - name: 'copy schemas'

  47.   copy:

  48.     src: '{{ item }}'

  49.     dest: '/etc/ldap/schema/'

  50.   loop:

  51.     - 'ldapns.ldif'

  52.     - 'kerberos.ldif'

  53.     - 'phamm.ldif'

  54.     - 'phamm-vacation.ldif'

  55. 

  56. - name: 'activate schemas'

  57.   command:

  58.     cmd: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }}'

  59.     creates: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={*}{{ item }}'

  60.   loop:

  61.     - 'ldapns.ldif'

  62.     - 'kerberos.ldif'

  63.     - 'phamm.ldif'

  64.     - 'phamm-vacation.ldif'

  65. 

  66. - name: 'activate modules'

  67.   ldap_attr:

  68.     dn: 'cn=module{0},cn=config'

  69.     name: 'olcModuleLoad'

  70.     values:

  71.       - '{0}back_mdb'

  72.       - '{1}pw-sha2'

  73.       - '{2}auditlog'

  74.       - '{3}memberof'

  75. 

  76. - name: 'create log dir'

  77.   file:

  78.     path: '/var/log/openldap'

  79.     owner: 'openldap'

  80.     group: 'openldap'

  81.     state: 'directory'

  82. 

  83. - name: 'set loglevel'

  84.   ldap_attr:

  85.     dn: 'cn=config'

  86.     name: 'olcLogLevel'

  87.     state: 'exact'

  88.     values: 'conns acl'

  89. 

  90. - name: 'activate auditlog overlay'

  91.   ldap_entry:

  92.     dn: 'olcOverlay={0}auditlog,olcDatabase={{ item.db }},cn=config'

  93.     objectClass:

  94.       - 'olcOverlayConfig'

  95.       - 'olcAuditLogConfig'

  96.     attributes:

  97.       olcAuditlogFile: '/var/log/openldap/{{ item.logfile }}'

  98.   loop:

  99.     - { db: '{0}config', logfile: 'audit_config.ldif' }

  100.     - { db: '{1}mdb', logfile: 'audit_mdb.ldif' }

  101. 

  102. - name: 'activate memberof overlay'

  103.   ldap_entry:

  104.     dn: 'olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config'

  105.     objectClass:

  106.       - 'olcOverlayConfig'

  107.       - 'olcMemberOf'

  108. 

  109. - name: 'set default password hash'

  110.   ldap_attr:

  111.     dn: 'olcDatabase={-1}frontend,cn=config'

  112.     name: 'olcPasswordHash'

  113.     values: '{SSHA512}'

  114. 

  115. - name: 'configure TLS x509 <-> ldap dn translation'

  116.   ldap_attr:

  117.     dn: 'cn=config'

  118.     name: 'olcAuthzRegexp'

  119.     state: 'exact'

  120.     values:

  121.       - >-

  122.        {0} ^cn=([^,]+),ou=Server,{{ ldap_x509_suffix }}$

  123.        cn=$1,ou=Server,{{ ldap_basedn }}

  124.       - >-

  125.        {1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ ldap_x509_suffix }}$

  126.        cn=$1,ou=People,{{ ldap_basedn }}

  127.       - >-

  128.        {2} ^cn=([^,]+),ou=LDAP,{{ ldap_x509_suffix }}$

  129.        cn=$1,ou=LDAP,{{ ldap_basedn }}

  130. 

  131. - name: 'configure main tree acls'

  132.   ldap_attr:

  133.     dn: 'olcDatabase={1}mdb,cn=config'

  134.     name: 'olcAccess'

  135.     state: 'exact'

  136.     values:

  137.       # TOFIX: Remove hardcoded IP

  138.       - >-

  139.         {0} to dn.exact={{ ldap_basedn }} attrs=entry,objectClass,contextCSN

  140.         by peername.regex=10\.150\.42\..* read

  141.         by * break

  142.       - >-

  143.         {1} to dn.subtree={{ ldap_basedn }}

  144.         {% if ldap_syncrepl_is_provider %}

  145.         by dn.children=ou=LDAP,{{ ldap_basedn }} tls_ssf=256 read

  146.         {% endif %}

  147.         by * break

  148.       # [0] -> Admins can proxy-auth to RootDN

  149.       # /proxy-auth is not required for routine user-management operations

  150.       - >-

  151.         {2} to dn.exact=cn=admin,{{ ldap_basedn }} attrs=authzFrom

  152.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} auth

  153.         by * none

  154.       # [1] :: ou=People

  155.       # [1.0] -> Admins can edit People `userPassword`

  156.       #       -> People can edit their `userPassword`

  157.       #       -> Anyone can auth with `userPassword` if using strong TLS.

  158.       - >-

  159.         {3} to dn.one=ou=People,{{ ldap_basedn }} attrs=userPassword

  160.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write

  161.         by self write

  162.         by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth

  163.         by * none

  164.       # [1.1] -> Admins can add/remove People entries

  165.       - >-

  166.         {4} to dn.exact=ou=People,{{ ldap_basedn }} attrs=children

  167.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write

  168.         by * none

  169. 

  170.       # [1.2] -> Admins can list the full People tree

  171.       #       -> Servers can perform search on People tree

  172.       - >-

  173.         {5} to dn.exact=ou=People,{{ ldap_basedn }}

  174.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} read

  175.         by dn.children=ou=Server,{{ ldap_basedn }} search

  176.         by * none

  177.       # [1.3] -> Admins can edit all People attributes

  178.       #       -> Servers can read all People attributes (except userPassword)

  179.       #       -> People can read all their attributes

  180.       #       -> Break: over privileges may be accorded later (i.e.: servers)

  181.       - >-

  182.         {6} to dn.one=ou=People,{{ ldap_basedn }}

  183.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write

  184.         by dn.children=ou=Server,{{ ldap_basedn }} read

  185.         by self read

  186.         by * break

  187.       # [1.5] -> No other access to People tree

  188.       - >-

  189.         {7} to dn.subtree=ou=People,{{ ldap_basedn }}

  190.         by * none

  191.       # [2] :: ou=Group

  192.       # [2.1] -> Admins can list groups

  193.       #       -> Servers can list groups

  194.       - >-

  195.         {8} to dn.exact=ou=Group,{{ ldap_basedn }} attrs=entry

  196.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} read

  197.         by dn.children=ou=Server,{{ ldap_basedn }} read

  198.         by * none

  199.       # [2.2] -> Admins can create/delete groups

  200.       - >-

  201.         {9} to dn.exact=ou=Group,{{ ldap_basedn }} attrs=children

  202.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write

  203.         by * none

  204.       # [2.3] -> Admins can edit group members

  205.       #       -> Server can list group members

  206.       - >-

  207.         {10} to dn.one=ou=Group,{{ ldap_basedn }}

  208.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write

  209.         by dn.children=ou=Server,{{ ldap_basedn }} read

  210.         by * none

  211.       # [2.2] -> No other access to Group tree

  212.       - >-

  213.         {11} to dn.children=ou=Group,{{ ldap_basedn }}

  214.         by * none

  215.       # [3] :: ou=Server

  216.       # [3.0] -> Local servers can simple-bind their entries if using TLS

  217.       # /Server using TLS-client Auth with OU=Server are automatically authenticated

  218.       ## TODO: Add peername.ip filtering on server subnet

  219.       - >-

  220.         {12} to dn.children=ou=Server,{{ ldap_basedn }} attrs=userPassword

  221.         by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth

  222.         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write

  223.         by * none

  224.       # [3.1] -> No other access to Server tree

  225.       - >-

  226.         {13} to dn.subtree=ou=Server,{{ ldap_basedn }}

  227.         by * none

  228.       # [4] :: ou=VirtualDomains - WiP

  229.       # [4.0] -> Admins can write whole subtree

  230.       # [4.1] -> Servers can read whole subtree

  231. #      - >-

  232. #        to dn.subtree=ou=VirtualDomains,{{ ldap_basedn }}

  233. #         by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write

  234. #         by dn.children=ou=Server,{{ ldap_basedn }} read

  235.       # [5] :: ou=Kerberos - Wi

  236. ...

  237.